
Steps to patch Meltdown and Spectre vulnerabilities on FreeBSD

Make a backup – it cannot be stressed enough how important it is to make a backup of your system before you do this. Most of the actions listed in this post are written with the assumption that they will be executed by the root user running bash or any other modern shell. I tested it on FreeBSD 11.x amd64 only.

Type the following shutdown command or reboot command:

    # shutdown -r now

Or:

    # reboot

Step 4 – Verification for Meltdown vulnerability on FreeBSD

The mitigation is known as Page Table Isolation (PTI). PTI largely separates the kernel and user mode page tables, so that even during speculative execution most of the kernel's data is unmapped and not accessible. A patched kernel automatically enables PTI on Intel CPUs. Check the status with the following sysctl command:

    # sysctl vm.pmap.pti
    vm.pmap.pti: 1

Another option is to download the Meltdown attack tools from https://github.com/dag-erling/meltdown as follows:

    # cd /tmp
    # git clone https://github.com/dag-erling/meltdown

Sample outputs:

The mdcheck tool attempts to determine if your system is vulnerable. The exact method varies from one platform to another. The result is indicated by the exit code: 0 for complete success, 1 for partial success (mostly seen in virtual machines) and 2 for complete failure:

    # mdcheck
    # echo $?

The mdattack tool performs a Meltdown attack on a designated target specified as a virtual address and a length and prints the result:

    # mdattack

Step 4 – Verification for Spectre 2 vulnerability on FreeBSD

The patches for the retpoline approach to mitigating the Spectre variant 2 vulnerability are still in progress; in the meantime, FreeBSD provides an IBRS-based mitigation on Intel CPUs. The main disadvantage of the IBRS mitigation is its significant performance penalty. Also, given the state of Intel's microcode releases, finding a working and stable microcode blob is not trivial.

AMD has promised to provide the same mechanism, but its presence on AMD CPUs is detected differently than on Intel CPUs. No AMD CPU with this capability has been seen yet, so the code that would detect and use IBRS on AMD is not committed. Also, AMD appears to specify that even when SMEP is enabled, user/kernel boundary IBRS protection still requires a Return Stack Buffer (RSB) flush; on Intel CPUs, the RSB flush is only needed on CPUs that do not provide SMEP.

You can verify that the IBRS-enabling microcode is loaded by looking at the dmesg buffer after the microcode update. If the line

    Structured Extended Features3=0xc000000<IBPB,STIBP>

appears in the CPU features report, then the IBPB (IBRS barrier) feature is present, so the system can perform the mitigation at the user/kernel boundary. The current status of the mitigation can be verified with the sysctl hw.ibrs_active. If the CPU feature is present and not disabled by the tunable/sysctl hw.ibrs_disable, it should report activation:

    # sysctl hw.ibrs_active
    # sysctl hw.ibrs_disable

If you have access to the Intel microcode list, for instance https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf, you can also look at the version of the currently loaded microcode. Install sysutils/x86info from ports or packages, load the cpuctl(4) driver (already required for microcode loading), and use the '-a' switch to see the microcode version among other things:

    # pkg install x86info
    # kldload cpuctl
    # x86info
    # x86info -a

Sample session from the above commands:
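The PTI check from Step 4 and the IBRS checks above can be folded into one script that reads the three sysctls and the dmesg feature line and reports a single verdict, which is handy when auditing several hosts. The script below is an added example, not code from the nixCraft post or from FreeBSD; it relies only on the sysctl names (vm.pmap.pti, hw.ibrs_active, hw.ibrs_disable) and the "Structured Extended Features3=...<IBPB,...>" dmesg line quoted in this post. The parsing functions take their input on stdin so they can be exercised offline on the constructed sample text at the bottom; run it with --live on a FreeBSD box to query the real system.

```shell
#!/bin/sh
# Added example (not from the nixCraft post): summarise FreeBSD's Meltdown (PTI)
# and Spectre v2 (IBRS) mitigation state from sysctl(8) and dmesg(8) output.
# assess_sysctl and microcode_has_ibpb read text on stdin so they can be tested
# offline; check_live_system wires them to the real commands.

# Read "name: value" lines (the format sysctl(8) prints) from stdin and print
# one status line per mitigation. Exit status: 0 when PTI and IBRS are both
# active, 1 otherwise (including when a sysctl is missing, i.e. unpatched kernel).
assess_sysctl() {
    pti="" ibrs_active="" ibrs_disable=""
    while IFS= read -r line; do
        key=${line%%:*}
        val=${line#*: }
        case "$key" in
            vm.pmap.pti)     pti=$val ;;
            hw.ibrs_active)  ibrs_active=$val ;;
            hw.ibrs_disable) ibrs_disable=$val ;;
        esac
    done
    rc=0
    case "$pti" in
        1) echo "Meltdown/PTI: active" ;;
        0) echo "Meltdown/PTI: DISABLED"; rc=1 ;;
        *) echo "Meltdown/PTI: unknown (vm.pmap.pti missing: unpatched kernel?)"; rc=1 ;;
    esac
    if [ "$ibrs_active" = "1" ]; then
        echo "Spectre v2/IBRS: active"
    elif [ "$ibrs_disable" = "1" ]; then
        echo "Spectre v2/IBRS: inactive, disabled by hw.ibrs_disable=1"; rc=1
    elif [ -z "$ibrs_active" ]; then
        echo "Spectre v2/IBRS: unknown (hw.ibrs_active missing: unpatched kernel?)"; rc=1
    else
        echo "Spectre v2/IBRS: inactive, CPU/microcode lacks IBRS (check dmesg for IBPB)"; rc=1
    fi
    return $rc
}

# Read dmesg text from stdin; succeed only if the CPU features report lists
# IBPB in the Structured Extended Features3 line, i.e. the IBRS-enabling
# microcode has been loaded.
microcode_has_ibpb() {
    grep -q 'Structured Extended Features3=.*<.*IBPB'
}

# On a real FreeBSD host: query the live dmesg buffer and sysctls.
check_live_system() {
    if dmesg | microcode_has_ibpb; then
        echo "microcode: IBPB present in CPU features report"
    else
        echo "microcode: IBPB not reported (IBRS microcode not loaded?)"
    fi
    sysctl vm.pmap.pti hw.ibrs_active hw.ibrs_disable 2>/dev/null | assess_sysctl
}

# Constructed sample input (not captured from any real host): a kernel with PTI
# on, but whose CPU microcode has not been updated, so IBRS cannot activate.
SAMPLE_SYSCTL='vm.pmap.pti: 1
hw.ibrs_active: 0
hw.ibrs_disable: 0'
SAMPLE_DMESG='  Structured Extended Features=0x281<FSGSBASE,ERMS,INVPCID>
  XSAVE Features=0x1<XSAVEOPT>'

if [ "${1:-}" = "--live" ]; then
    check_live_system
else
    if printf '%s\n' "$SAMPLE_DMESG" | microcode_has_ibpb; then
        echo "microcode: IBPB present in CPU features report"
    else
        echo "microcode: IBPB not reported (IBRS microcode not loaded?)"
    fi
    printf '%s\n' "$SAMPLE_SYSCTL" | assess_sysctl || echo "=> at least one mitigation is not active"
fi
```

A missing sysctl is deliberately reported as a failure rather than ignored: on a kernel that predates the patches the OIDs do not exist at all, and a script that silently treated "no value" as "not disabled" would pass an unpatched host.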

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.